Most AI systems process personal data. A CV screening tool processes candidates' personal information. A credit scoring model processes financial and behavioural data. A customer support chatbot processes names, account details, and conversation content. For all of these, both GDPR and the EU AI Act apply simultaneously — creating a layered compliance obligation that many organisations are still working through.

This guide maps the overlap, explains where the two regulations interact, and identifies where a unified approach can satisfy both.

The Two Regulations at a Glance

| Dimension | GDPR | EU AI Act | |-----------|------|-----------| | Full name | General Data Protection Regulation (2016/679) | Artificial Intelligence Act (2024/1689) | | In force | 25 May 2018 | 1 August 2024 (phased) | | What it protects | Personal data and the rights of data subjects | Safety, fundamental rights, and transparency in AI systems | | Enforcement | Data Protection Authorities (national) | National AI supervisory authorities + AI Office (EU level) | | Max fine | €20M or 4% of global annual turnover | €35M or 7% (prohibited AI); €15M or 3% (high-risk) | | Supervisory body | DPA (e.g. ICO, CNIL, BfDI) | National AI authority + European AI Office |

Both regulations apply independently. Compliance with one does not satisfy the other. However, where obligations overlap, a single compliance activity can satisfy both — if designed correctly.

Where They Overlap

The overlap occurs wherever an AI system processes personal data — which, in practice, is the majority of commercial AI systems. GDPR governs the data; the AI Act governs the AI system processing that data. Both frameworks apply to the same underlying activity.

1. Automated Decision-Making

GDPR Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects — and requires that, where such decisions are made, the data subject has the right to obtain human intervention, express their point of view, and contest the decision.

EU AI Act high-risk obligations (Annex III includes credit scoring, employment screening, access to essential services) require human oversight mechanisms: a human must be able to understand, monitor, and override the system's output.

Combined compliance action: Design human-in-the-loop processes that satisfy both Article 22 and the AI Act's human oversight requirement simultaneously. Document both in your AI system technical documentation and in your GDPR records.

2. Data Governance

GDPR requires data minimisation (Art. 5(1)(c)) — only data adequate and limited to what is necessary for the specified purpose may be collected and used.

EU AI Act requires that training, validation, and testing datasets for high-risk AI systems meet quality criteria — free from errors, sufficiently representative, and relevant to the intended purpose (Art. 10).

Combined compliance action: A single data governance policy that defines data selection criteria for AI training, documents representativeness and bias assessments, and ensures alignment with GDPR's purpose limitation and minimisation principles satisfies both.

3. Transparency

GDPR requires that data subjects be provided with clear information about automated processing, including meaningful information about the logic involved, and the significance and envisaged consequences of such processing (Arts. 13–14, 22(3)).

EU AI Act requires that deployers of high-risk AI systems inform natural persons who are subject to the output of such systems that they are subject to a high-risk AI system (Art. 26(7)), and that providers document AI system capabilities and limitations.

Combined compliance action: Design a layered disclosure that satisfies both: a GDPR-compliant privacy notice explaining automated processing, supplemented by an AI Act-compliant transparency notice explaining what the AI system does and its limitations.

4. Impact Assessments

GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to the rights and freedoms of natural persons — including systematic and extensive automated profiling with significant effects, processing of special category data at scale, and systematic monitoring of publicly accessible areas.

EU AI Act high-risk system registration and conformity assessments also require documenting risks, mitigation measures, and fundamental rights impacts.

Combined compliance action: Conduct a single, unified AI + Data Impact Assessment that covers GDPR Art. 35 DPIA requirements and EU AI Act risk management documentation simultaneously. Structure sections to address both legal frameworks, share the underlying risk analysis, and produce two referenced outputs. This avoids duplication and ensures consistency.

Compliance Efficiency: A Unified AI Governance Framework

Rather than running separate GDPR and AI Act compliance programmes, consider building a unified AI system governance framework that:

Maintains a single AI system inventory that captures both GDPR data flows and AI Act risk classifications for each system
Uses a combined impact assessment template that produces both a DPIA and AI Act risk documentation
Establishes one human oversight process that satisfies both Art. 22 GDPR and AI Act Art. 14
Applies a single transparency standard to all AI-driven communications with data subjects
Feeds incidents into a combined reporting workflow for both GDPR data breaches and AI Act serious incident reporting

Example: Six AI Systems — Combined Classification

| AI System | GDPR Classification | AI Act Classification | Combined Compliance Actions | |-----------|--------------------|-----------------------|-----------------------------| | CV screening tool | High risk (profiling, significant effects) | High-risk (Annex III — employment) | DPIA + AI Act conformity assessment; human oversight; transparency to candidates | | Customer support chatbot | Standard processing | Limited-risk (Art. 50) | GDPR privacy notice; disclose AI interaction to users | | Credit scoring model | High risk (significant financial effects) | High-risk (Annex III — essential services) | DPIA + conformity assessment; Art. 22 rights; human override | | Fraud detection (internal) | Standard processing | Likely minimal-risk | GDPR Art. 32 security measures; no additional AI Act obligations | | Product recommendation engine | Standard processing | Minimal-risk | GDPR consent/LI basis; voluntary AI Act codes | | Employee performance monitoring | High risk (employment profiling) | High-risk (Annex III — employment) | DPIA + conformity assessment; works council consultation (national law); Art. 22 rights |

Last updated: April 2026. For informational purposes only — not legal advice.

Frequently Asked Questions

Do GDPR and the EU AI Act have the same supervisory authority?

No. GDPR is enforced by national Data Protection Authorities (DPAs) — such as the ICO in the UK, CNIL in France, and BfDI in Germany. The EU AI Act is enforced by national AI supervisory authorities designated under Article 70, alongside the European AI Office at EU level for general-purpose AI models. Where an AI system processing personal data is investigated, both the DPA and the national AI authority may have jurisdiction simultaneously, and coordination between them is expected but not yet fully codified in practice.

Does GDPR's lawful basis also satisfy EU AI Act data governance requirements?

Not entirely. GDPR requires a lawful basis under Article 6 for any processing of personal data, and Article 9 for special category data. The EU AI Act adds separate data governance requirements for high-risk AI systems under Article 10 — training, validation, and testing datasets must meet quality criteria including representativeness, freedom from errors, and relevance to the intended purpose. A valid GDPR lawful basis does not automatically satisfy Article 10 data quality standards; both sets of requirements must be addressed independently in your documentation.

Which regulation takes precedence when GDPR and the EU AI Act conflict?

GDPR applies as a regulation with direct effect across all EU member states and is not displaced by the AI Act. Recital 9 of the EU AI Act explicitly states that it complements GDPR and does not reduce any data protection obligations. Where obligations appear to conflict — for example, where AI Act transparency requirements interact with GDPR data minimisation — both must be satisfied simultaneously. If genuine conflict arises, legal advice specific to the jurisdiction and context is necessary; neither instrument expressly grants precedence to the other.

Sources

Regulation (EU) 2024/1689 — EU Artificial Intelligence Act — Full text of the EU AI Act, including Article 10 (data governance), Article 14 (human oversight), and Article 26 (deployer obligations).
Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR) — Full text of the GDPR, including Article 5 (principles), Article 22 (automated decision-making), and Article 35 (DPIA).
EDPB Opinion 28/2024 on the interplay between the GDPR and the AI Act — European Data Protection Board analysis of how GDPR and the AI Act interact, including on lawful basis and data governance requirements.
European AI Office — AI Act implementation resources — European Commission portal for AI Office guidance, codes of practice, and implementing acts under the EU AI Act.

GDPR vs EU AI Act: How the Two Regulations Overlap

What you need to know: GDPR vs EU AI Act: How the Two Regulations Overlap